
Page 1: Empire – Your best Friend to Secure Your Systems

@harmj0y @jaredcatkinson

Page 2: Hello!

I am @harmj0y, Offensive Engineer and Red Teamer

Developer: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHound

Speaker: DEF CON, BlueHat IL, DerbyCon, et al.

Other: Microsoft PowerShell/CDM MVP, BlackHat Trainer

Page 3: Hello!

I am @jaredcatkinson, Forensicator, Incident Responder, and Hunter

Developer: PowerForensics, Uproot IDS

Speaker: 44CON, BSides DC, PowerShell Summit, PS Conference EU

Other: U.S. Air Force Hunt Team, Microsoft PowerShell/CDM MVP, BlackHat Trainer

Page 4: tl;dr

◉ Offensive and Defensive Philosophy
◉ Building an Empire
◉ Uprooting the Adversary
◉ PowerForensics
◉ Demos!

Page 5: Section 1: Offensive and Defensive Philosophy

Page 6: Quote

“Fundamentally, if someone wants to get in, they’re getting in… accept that. What we tell clients is: Number one, you’re in a fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”

Michael Hayden, Former Director of NSA & CIA. Source: Microsoft Enterprise Cloud Red Teaming Whitepaper

Page 7: “Assume Breach”

◉ For offense:
  ○ Focus on post-exploitation
  ○ “Blend with the noise” to slip under the blue team’s detections

◉ For defense:
  ○ Proactively hunt for malicious actors
  ○ “Blend with the noise” to slip under the actor’s detections

Page 8: Living Off the Land

◉ Focus on blending in with normal host and network actions

◉ For offense:
  ○ Utilize built-in capabilities
  ○ Powershell.exe, WMI, msbuild, netsh, etc.

◉ For defense:
  ○ WMI, ETW
  ○ Raw disk handles to minimize the trust required for other built-in actions that may tip your hand

Page 9: Why PowerShell?

◉ “Microsoft’s post-exploitation language” (@obscuresec)

◉ PowerShell provides, out of the box:
  ○ Full .NET access
  ○ Direct access to the Win32 API
  ○ Ability to assemble malicious (or defensive) binaries and capabilities in memory
  ○ Default installation on Windows 7+!

Page 10: Our Goal

◉ We want to show how PowerShell can be used to both break and secure your enterprise systems

◉ We will walk through some of PowerShell Empire’s offensive capabilities, Uproot’s intrusion detections, and PowerForensics’ post-analysis abilities

Page 11: Section 2: Building an Empire with PowerShell

Page 12: First Things First

◉ Empire would not be possible without the help and phenomenal work from:
  ○ PowerSploit by @mattifestation, @obscuresec and @JosephBialek
  ○ Posh-SecMod by @Carlos_Perez
  ○ UnmanagedPowerShell by @tifkin_
  ○ Mimikatz by @gentilkiwi and Vincent LE TOUX

◉ Everyone who contributed modules, bugs, fixes, and time! You all rock!

Page 13: What Is Empire?

◉ Empire is a fully-featured PowerShell (and Python!) based remote access trojan (RAT) released at BSides LV 2015

◉ Provides a rich set of post-exploitation actions in line with the “assume breach” philosophy

Page 14: Why Build This?

◉ Started as a thought exercise!

◉ We wanted to:
  ○ Provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
  ○ Build a platform that’s easily customizable
  ○ Train defenders on the capabilities of offensive PowerShell!

Page 15:

Page 16:

Page 17:

^ the guy who invented PowerShell

Page 18: Empire Design Decisions

◉ Asynchronous communications
  ○ GET/POST tasking structure

◉ We care about crypto!
  ○ “Perfect forward secrecy” w/ encrypted key exchange

◉ Modularity
  ○ Common module format w/ a variety of options
  ○ Post-exploitation modules can be loaded and removed live

Page 19: Empire Capabilities

◉ code_execution - ways to run more code
◉ collection - post exploitation data collection
◉ credentials - collect and use creds
◉ lateral_movement - move around the network
◉ management - host management and auxiliary
◉ persistence - survive the reboot
◉ privesc - escalation capabilities
◉ situational_awareness - network awareness
◉ trollsploit - have fun with defenders :)

Page 20:

Page 21:

Page 22: Empire 2.0

◉ Empire/EmPyre
  ○ Wanted one single controller for our Python Linux/OS X agents and PowerShell agents.

◉ Modularize C2
  ○ Expandable listeners that you can drag/drop into the framework for additional transports.

◉ Code Rot
  ○ Fix our past mistakes and build a foundation for the future viability of the project.

Page 23:

Page 24: Modular C2

◉ Previously, listeners were hard-wired into the code base, so adding transports was extremely difficult

◉ Now listeners are encapsulated in self-contained modules
  ○ Allows you to drag/drop modules into the framework just like post-exploitation modules

◉ Can even use third-party sites like...

Page 25:

Page 26: Section 3: Uproot IDS

Page 27: WMI Introduction

◉ Windows Management Instrumentation
◉ Microsoft’s implementation of the Common Information Model standard
◉ Allows administrators to query system information:
  ○ System
  ○ Applications
  ○ Hardware
  ○ Networks

◉ PowerShell provides a simple interface
  ○ Get-WmiObject
  ○ Get-CimInstance

Page 28: WMI Event Subscriptions

◉ WMI interface for monitoring changes to the model
◉ Classes built specifically for event monitoring
◉ Subscriptions are persistent
  ○ Maintained in the WMI Repository

◉ Built with troubleshooting in mind, but:
  ○ Attackers leverage them for persistence
  ○ Defenders leverage them for intrusion detection

◉ Three parts to a subscription:
  ○ Filter
  ○ Consumer
  ○ Binding

Page 29: Uproot Introduction

◉ Intrusion Detection System that leverages WMI permanent event subscriptions to detect:
  ○ General System Information
  ○ Introduction of Persistence
  ○ Lateral Movement

◉ Abstracts the complexity of permanent WMI event subscriptions
  ○ Register-PermanentWmiEvent

◉ Reports events via:
  ○ Windows Event Log (ideal)
  ○ HTTP POST (Splunk or ELK)
  ○ Flat log file

Page 30: Intrusion Detection

◉ Real-time monitoring (Push vs. Pull)
  ○ Pull - query data from a centralized point
  ○ Push - endpoint agent sends data to a centralized location

◉ Removes blind spots between “pulls”
◉ Monitoring is distributed to endpoints instead of the server
◉ Requires some sort of presence (agent) on the endpoint
◉ Built-in monitoring capabilities
  ○ WMI Event Subscriptions
  ○ Event Tracing for Windows (ETW)

Page 31: Basics - Filter

◉ __EventFilter
  ○ Defines the event to detect using WMI Query Language (WQL)

◉ Event filter examples:
  ○ SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
  ○ SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName LIKE '%chrome%'
  ○ SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.State = 'Running'
  ○ SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'

Page 32: Basics - Consumer

◉ __EventConsumer
  ○ ActiveScriptEventConsumer
    ■ Runs a predefined script in an arbitrary scripting language
  ○ CommandLineEventConsumer
    ■ Starts an arbitrary process on the local system
  ○ LogFileEventConsumer
    ■ Writes customized strings to a text log file
  ○ NTEventLogEventConsumer
    ■ Logs a specific message to the operating system event log
  ○ SMTPEventConsumer
    ■ Sends an email message by using Simple Mail Transfer Protocol (SMTP)

Page 33: Basics - Binding

◉ __FilterToConsumerBinding
  ○ Registration of permanent event consumers to relate an instance of the __EventConsumer to an instance of __EventFilter

Diagram: Filter and Consumer joined by a Binding
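The three pieces from the Filter, Consumer and Binding slides, assembled into one working detection. This is an added example written for this page, not code from the talk or from Uproot (Uproot's Register-PermanentWmiEvent wraps these same steps behind one cmdlet). The subscription name, the event ID, the choice of Win32_StartupCommand as the watched class and the message template are constructed for the demo.

```powershell
# Added example, not part of the talk or of Uproot: a permanent WMI event
# subscription that fires when a new autorun entry (Win32_StartupCommand)
# appears and records it in the Application event log.
# Run from an elevated prompt. All three objects live in root\subscription and
# survive reboots, which is why the cleanup at the end matters.

$Name = 'Demo-StartupCommandWatch'   # constructed name, not one Uproot uses

# 1. Filter: a WQL intrinsic event. WITHIN 10 is the polling interval in
#    seconds; Win32_StartupCommand has no native event provider, so WMI polls.
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'"
}

# 2. Consumer: write a Warning to the Application log. %TargetInstance.X% are
#    WMI standard string templates, resolved from the event object when it fires.
#    SourceName must be an event source registered on the host; if that source's
#    message template does not render the inserted string, the string is still
#    present in the event's XML view.
$Consumer = Set-WmiInstance -Namespace root\subscription -Class NTEventLogEventConsumer -Arguments @{
    Name                     = $Name
    SourceName               = 'WSH'    # Windows Script Host, present on every Windows install
    EventID                  = 2        # constructed value for this demo
    EventType                = 2        # 2 = Warning
    Category                 = 0
    NumberOfInsertionStrings = 1
    InsertionStringTemplates = @(
        'New startup command: %TargetInstance.Command% in %TargetInstance.Location% (user: %TargetInstance.User%)'
    )
}

# 3. Binding: only now does the subscription exist. Filter and Consumer are
#    object references; Set-WmiInstance derives them from the objects above.
$null = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
}

# Enumerate what is registered. This is the same query a responder runs to find
# subscriptions an attacker installed for persistence (slide 28).
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*$Name*" }

# Cleanup: remove the binding first, then the filter and consumer it referenced.
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*$Name*" } | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class NTEventLogEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
```

The consumer choice is the defensive half of the dual-use point the slides make: the same filter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer is what attacker persistence looks like, so any binding in root\subscription whose consumer is one of those two classes deserves a second look during an investigation.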

Page 34: Section 4: Forensicating with PowerShell

Page 35: PowerForensics Introduction

◉ PowerShell module for live forensic investigation
◉ Binary module (compiled C# DLL)
◉ Minimizes use of operating system APIs
◉ .NET Core compatible (Windows, MacOS, *nix)
◉ Currently parses:
  ○ NTFS and FAT data structures
  ○ Windows-specific data structures
    ■ Windows Registry
    ■ Windows Event Log
    ■ Scheduled Jobs
    ■ Prefetch files

Page 36: Design Decisions

◉ Forensically sound
◉ Parse raw disk structures
◉ Don’t alter NTFS timestamps
◉ Can execute on a live (running) host
◉ Operationally fast
  ○ Collect forensic data in seconds or minutes

◉ Modular capabilities
  ○ Cmdlets perform discrete tasks and can be tied together for more complicated tasks

◉ Capable of working remotely

Page 37: Getting the Data

◉ Create a read handle to the physical disk/logical volume
  ○ CreateFile API (Windows)
  ○ open API (Mac/*nix)

◉ Read from the handle
  ○ FileStream Read method
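The two steps on this slide as a runnable script: open a volume with CreateFile, wrap the handle in a FileStream, and parse the NTFS boot sector that the first read returns. This is an added example written for this page, not PowerForensics' own code (PowerForensics implements the same pattern in C#). The RawDisk.Native type, the Get-NtfsBootSector function and its output fields are my own names; the byte offsets are the published NTFS boot sector layout.

```powershell
# Added example, not PowerForensics code: raw, read-only access to a logical
# volume through CreateFile + FileStream, then a parse of the NTFS boot sector.
# Requires an elevated prompt. Nothing is written, so no timestamps change.

Add-Type -Namespace RawDisk -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Get-NtfsBootSector {
    param([string]$Volume = 'C')

    $GENERIC_READ     = [uint32]2147483648   # 0x80000000
    $FILE_SHARE_READ  = 1
    $FILE_SHARE_WRITE = 2                    # the volume is in use, so we must share
    $OPEN_EXISTING    = 3

    # \\.\C: is the volume device; a whole disk would be \\.\PhysicalDrive0.
    $handle = [RawDisk.Native]::CreateFile("\\.\$($Volume):", $GENERIC_READ,
        ($FILE_SHARE_READ -bor $FILE_SHARE_WRITE), [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw "CreateFile failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Device reads must be sector-aligned; the boot sector is the first 512 bytes.
    $stream = New-Object -TypeName System.IO.FileStream -ArgumentList $handle, ([System.IO.FileAccess]::Read)
    try {
        $buffer = New-Object byte[] 512
        $read = $stream.Read($buffer, 0, 512)
        if ($read -ne 512) { throw "Short read: $read bytes" }
    } finally {
        $stream.Dispose()   # also closes the SafeFileHandle
    }

    # Offsets from the NTFS boot sector layout.
    $oem = [System.Text.Encoding]::ASCII.GetString($buffer, 3, 8)
    if ($oem.TrimEnd() -ne 'NTFS') { throw "Not an NTFS volume (OEM ID '$oem')" }

    $bytesPerSector    = [BitConverter]::ToUInt16($buffer, 0x0B)
    $sectorsPerCluster = $buffer[0x0D]
    if ($sectorsPerCluster -gt 0x7F) {
        # Volumes with clusters above 64 KB store a signed exponent here; out of scope for this demo.
        throw "Large-cluster encoding (0x{0:X2}) not handled" -f $sectorsPerCluster
    }
    $mftCluster = [BitConverter]::ToUInt64($buffer, 0x30)

    [PSCustomObject]@{
        Volume            = $Volume
        OemId             = $oem
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        BytesPerCluster   = $bytesPerSector * $sectorsPerCluster
        MftStartCluster   = $mftCluster
        MftByteOffset     = $mftCluster * $bytesPerSector * $sectorsPerCluster
        VolumeSerial      = ('{0:X16}' -f [BitConverter]::ToUInt64($buffer, 0x48))
    }
}

Get-NtfsBootSector -Volume 'C'
```

MftByteOffset is where a parser would seek next to read $MFT directly, which is how the "minimizes use of operating system APIs" and "don't alter NTFS timestamps" design goals on the previous slide are met: the file system driver is never asked to open the files being examined.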

Page 38: Forensic Timelining

◉ Investigate file system activity temporally
◉ Aggregate artifacts from different sources:
  ○ Master File Table
  ○ UsnJrnl
  ○ Registry
  ○ Prefetch
  ○ Event Logs
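The aggregation step this slide describes, as an added example written for this page rather than PowerForensics' own timeline cmdlet: artifacts from different sources are normalised into one record shape and sorted by time. To stay runnable anywhere it draws on built-in sources (file system timestamps via Get-ChildItem and the System event log via Get-WinEvent) instead of raw MFT or UsnJrnl parsing; parser output plugs into New-TimelineEntry the same way. The function names and the record fields are constructed.

```powershell
# Added example, not PowerForensics code: build a single timeline from several
# artifact sources by mapping each to one common record and sorting by time.

function New-TimelineEntry {
    param(
        [datetime]$Time,
        [string]$Source,   # which artifact produced the row (FileSystem, EventLog, ...)
        [string]$Type,     # which timestamp or event kind within that source
        [string]$Item      # what the row is about
    )
    # Normalise to UTC so rows from sources with different clock conventions sort correctly.
    [PSCustomObject]@{ Time = $Time.ToUniversalTime(); Source = $Source; Type = $Type; Item = $Item }
}

function Get-FileSystemTimeline {
    param([string]$Path)
    foreach ($f in Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue) {
        # One row per timestamp (Modified, Accessed, Created), the same way an MFT
        # timeline emits MACB rows, so a file appears wherever it was touched.
        New-TimelineEntry -Time $f.LastWriteTime  -Source 'FileSystem' -Type 'Modified' -Item $f.FullName
        New-TimelineEntry -Time $f.LastAccessTime -Source 'FileSystem' -Type 'Accessed' -Item $f.FullName
        New-TimelineEntry -Time $f.CreationTime   -Source 'FileSystem' -Type 'Created'  -Item $f.FullName
    }
}

function Get-EventLogTimeline {
    param([datetime]$Since)
    # System 7045: a service was installed, a frequent persistence artifact.
    # Security 4688 (process creation) would be added the same way where auditing is enabled.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $summary = ($e.Message -split "`r?`n")[0]
        New-TimelineEntry -Time $e.TimeCreated -Source 'EventLog' -Type "System/$($e.Id)" -Item $summary
    }
}

function Get-Timeline {
    param([string]$Path, [datetime]$Since)
    # @() around each source keeps an empty result from becoming a $null row.
    $rows = @(Get-FileSystemTimeline -Path $Path) + @(Get-EventLogTimeline -Since $Since)
    $rows | Where-Object { $_.Time -ge $Since.ToUniversalTime() } | Sort-Object Time
}

# Constructed usage: everything in the temp directory and every service install
# from the last day, interleaved into one chronological view.
Get-Timeline -Path $env:TEMP -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

The value of the merge is the interleaving: a 7045 service install that lands seconds after a file was created in a temp directory reads as one story in the combined view, where neither source alone would show the relationship.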

Page 39: PowerForensics Portable

◉ Allows PowerForensics to be run on a remote system
◉ Loads the PowerForensics assembly in memory
◉ Assembly exposes a public API to query data

Page 40: Section 5: Attacking and Defending with PowerShell

Page 41:

Page 42: Other Detections

Page 43: Previous Talks

http://bit.ly/2kFItwg

Page 44: Thanks!

Any questions? You can find us at:

◉ @harmj0y (will [at] harmj0y.net)
◉ @jaredcatkinson (jared [at] invoke-ir.com)